Malicious javascript compromise on npmjs.com
-
Malicious javascript compromise on npmjs.com
These packages, about a billion downloads prior
supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-nameThread follows.
Example change and download stats on one of the 12 packages changed, incident started about 2 hours ago.
-
Example change and download stats on one of the 12 packages changed, incident started about 2 hours ago.
Example copy of one of the inserted JS: https://pastebin.com/bwLZrq02
-
Example copy of one of the inserted JS: https://pastebin.com/bwLZrq02
Just reported to NPM, they work on it.
-
Just reported to NPM, they work on it.
Derek's caught it too https://infosec.exchange/@derekheld/115169311485030806
-
Derek's caught it too https://infosec.exchange/@derekheld/115169311485030806
It's a cryptocurrency wallet drainer, RIP a load of devops dudes crypto.
-
It's a cryptocurrency wallet drainer, RIP a load of devops dudes crypto.
NPM on it, some packages nuked, more being nuked
-
NPM on it, some packages nuked, more being nuked
If you want an idea of scale of trojan attempt - 'color' alone had 32m downloads in a week, the combined attempt was pushing a billion due to upstream dependencies.
Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.
-
If you want an idea of scale of trojan attempt - 'color' alone had 32m downloads in a week, the combined attempt was pushing a billion due to upstream dependencies.
Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.
additional backdoored packages
ansi-styles
debug
chalk
supports-color
strip-ansi
ansi-regex
has-ansi -
additional backdoored packages
ansi-styles
debug
chalk
supports-color
strip-ansi
ansi-regex
has-ansiWeekly download stats for impacted packages prior to incident
ansi-styles (371.41m)
debug (357.6m)
backslash (0.26m)
chalk-template (3.9m)
supports-hyperlinks (19.2m)
has-ansi (12.1m)
simple-swizzle (26.26m)
color-string (27.48m)
error-ex (47.17m)
color-name (191.71m)
is-arrayish (73.8m)
slice-ansi (59.8m)
color-convert (193.5m)
wrap-ansi (197.99m)
ansi-regex (243.64m)
supports-color (287.1m)
strip-ansi (261.17m)
chalk (299.99m)Total 2674m
-
Weekly download stats for impacted packages prior to incident
ansi-styles (371.41m)
debug (357.6m)
backslash (0.26m)
chalk-template (3.9m)
supports-hyperlinks (19.2m)
has-ansi (12.1m)
simple-swizzle (26.26m)
color-string (27.48m)
error-ex (47.17m)
color-name (191.71m)
is-arrayish (73.8m)
slice-ansi (59.8m)
color-convert (193.5m)
wrap-ansi (197.99m)
ansi-regex (243.64m)
supports-color (287.1m)
strip-ansi (261.17m)
chalk (299.99m)Total 2674m
Phishing email sent to maintainers, they basically targeted people with 2FA by getting them to.. reset their 2FA.
-
Phishing email sent to maintainers, they basically targeted people with 2FA by getting them to.. reset their 2FA.
Developer confirms they fell for phishing email
It looks like others have too, found one other compromised repo from a different user, will have a dig tomorrow as bored of cyber tonight.
https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y
-
Developer confirms they fell for phishing email
It looks like others have too, found one other compromised repo from a different user, will have a dig tomorrow as bored of cyber tonight.
https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y
For anybody confused about how this happens, basically:
- For about the past 15 years every business has been developing apps by pulling in 178 interconnected libraries written by 24 people in a shed in Skegness
- For about the past 2 years orgs have been buying AI vibe coding tools, where some exec screams "make online shop" into a computer and 389 libraries are added and an app is farted out
The output = if you want to own the world's companies, just phish one guy in Skegness
-
M monkee@other.li shared this topic
